How to configure Confluence Data Center for SAML 2.0 SSO with Okta


Platform Notice: Data Center Only - This article only applies to Atlassian products on the data center platform.

 

Purpose

Confluence Data Center is bundled with the SSO for Atlassian Server and Data Center App – we will refer to it simply as Atlassian SSO App in the remainder of this document.

With this App, Confluence administrators can configure SSO using SAML 2.0 or OIDC with your preferred Identity Provider (IdP). Check SAML single sign-on for Atlassian Data Center applications for further details on supported IdPs and more information on the SSO App.

This document highlights the steps to integrate Confluence Data Center with Okta for SSO using SAML 2.0.

This document is not intended to be a full reference guide, since you may need to adapt the Okta or Confluence configuration to your organization's needs. It describes a sample configuration that gets SSO working.

For any Okta related issue or question, refer to Okta Help Center.



Install or Update the Atlassian SSO App

SSO capabilities are provided in Confluence Data Center as a Marketplace App. Although you may have this App bundled with Confluence, it's best practice to update it to the latest version supported by your Confluence release, so that you are protected from security bugs and are running with the latest improvements.

Refer to the Atlassian SSO App version history for further details on supported Jira versions and for release notes.

In this example we are using Confluence 7.13.4 and Atlassian SSO App 4.2.1. The latest application version available when this document was written is 4.2.11.

Updating apps explains the options to update an App with Universal Plugin Manager (UPM). If UPM is connected to the internet, it will advise you there's an update available and give you the option to update.

Configure SSO 2.0 on Confluence

To configure SAML 2.0 on Confluence using the Atlassian SSO App, you need to have Jira running with HTTPS. Refer to Running Confluence Over SSL or HTTPS if this isn't configured yet.

  1. Log in to Confluence as an administrator and go to  > User Management
  2. Click on SSO 2.0 under USERS & SECURITY
  3. Select SAML Single Sign On from the drop-down
  4. Take note of the Assertion Consumer Service URL and Audience URL (Entity ID) under Give these URLs to your identity provider
  5. Leave the Confluence tab open and open a new tab for the Create an Application on Okta section

Create an Application on Okta

You will need to create a new application in Okta to make it available to users as Atlassian doesn't provide an Okta Application.

  1. As an Okta administrator, go to Applications and click on Create App Integration.



  2. On the Create a New Application Integration screen, choose the following and click on SAML 2.0
  3. On the General Settings of the Create SAML Integration page, add the information as below and click on Next.
    • App name: it could be any name you would like to be presented to your users; we are using My Company Jira in this example.
  4. On the Configure SAML screen, add the information as below and click on Next.
    • Single sign on URL: Enter the Assertion Consumer Service URL captured in Step 4 under Configure SSO 2.0 on Confluence
    • Audience URI (SP Entity ID): Enter the Audience URL (Entity ID) captured in Step 4 under Configure SSO 2.0 on Confluence
    • Name ID format: EmailAddress, assuming users authenticate to Confluence using their email address.
      • This must match the username attribute in Confluence's user directory, so you may need to change it depending on the desired/used configuration.
    • Application username: Email, assuming users authenticate to Confluence using their email address. If using a different method, change accordingly.
      • This must match the username attribute in Confluence's user directory, so you may need to change it depending on the desired/used configuration.
  5. On the Feedback screen, choose the options associated to your company and click on Finish.
  6. The application is now created in Okta and you are sent to the Sign On tab.
  7. Under the Application Sign On Settings, click on the View Setup Instructions to open a new window with information that will be used in the next section.
  8. Now that the Okta integration App is created, keep the How to Configure SAML 2.0 for Confluence Application window open and go to the next section to configure SAML SSO on Confluence.
    We will get back to the Okta administration later to finish configuring the App.

SAML SSO on Confluence

  1. Return to the tab used for the Configure SSO 2.0 on Confluence section
  2. On the Single sign-on issuer attribute, use the value from Identity Provider Issuer from Okta's configuration from the previous section.
  3. On the Identity provider single sign-on URL attribute, use the value from Identity Provider Single Sign-On URL from Okta's configuration from the previous section.
  4. On the X.509 Certificate attribute, use the value from X.509 Certificate from Okta's configuration from the previous section.
  5. On the Username mapping attribute, use ${NameID}.
    • This value follows from the configuration made in Okta in the previous section. You may need to change it depending on your configuration.
  6. Review your configuration
  7. Click on Save Configuration

User Provisioning

Up to this point, we have configured Confluence and Okta, but users will not be able to log in. User Provisioning can be done in two ways:

  1. Use Confluence to manage Users and Groups and Okta is used just for authentication - (Without JIT); OR
  2. Use Okta to manage Users and Groups - (With JIT)

Without JIT

  1. Create a user (for example: okta-confluence@email.com) in both Okta and Confluence (the user on Confluence can be synced from a remote directory)
  2. In Okta assign the user to the Application
  3. In Confluence ensure the user has the preferred groups and permission
  4. Proceed to log in to Confluence via Okta as the user created in Step 1

With JIT

JIT User Provisioning

  1. Create a desired group on Okta and assign the user and the Application created in Create an Application on Okta to the group
  2. Create Attribute Statements and Group Attribute Statements in Okta

    • Go to the application you just created >> General >> Click on 'Edit' to the right of "SAML Settings"
  3. Enable JIT in Confluence and enter the attribute names in the respective fields
  4. Save the changes
  5. Proceed to log in to Confluence via Okta
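
A configuration check for the values exchanged in the SAML SSO on Confluence and JIT sections above, added here as an example and not Atlassian's or Okta's code: it reads a base64-decoded SAMLResponse and reports where it disagrees with the Assertion Consumer Service URL, Audience URL (Entity ID), issuer, NameID format and JIT attribute names. The host name, issuer ID, attribute names and sample response are constructed placeholders; substitute the values shown on your own Confluence and Okta screens.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed placeholders for the values copied between the two admin screens.
EXPECTED = {"acs_url": "https://confluence.example.com/plugins/servlet/samlconsumer",
            "audience": "https://confluence.example.com",
            "issuer": "http://www.okta.com/EXAMPLE_ISSUER_ID",
            "jit_attributes": ["displayName", "email", "groups"]}  # hypothetical names
# Constructed, unsigned, already base64-decoded sample; "groups" is omitted on purpose.
SAMPLE = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="{NS['a']}" Destination="{EXPECTED['acs_url']}">
 <a:Assertion>
  <a:Issuer>{EXPECTED['issuer']}</a:Issuer>
  <a:Subject><a:NameID Format="{EMAIL_FMT}">okta-confluence@email.com</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{EXPECTED['audience']}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name="displayName"><a:AttributeValue>Okta User</a:AttributeValue></a:Attribute>
   <a:Attribute Name="email"><a:AttributeValue>okta-confluence@email.com</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion></p:Response>"""

def check_response(xml_text, expected):
    """List config mismatches in a decoded SAMLResponse (no signature validation)."""
    root = ET.fromstring(xml_text)
    asr = root.find("a:Assertion", NS)
    if asr is None:  # e.g. the IdP sends an EncryptedAssertion instead
        return ["no unencrypted Assertion element found"]
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination differs from the Assertion Consumer Service URL")
    if asr.findtext("a:Issuer", "", NS).strip() != expected["issuer"]:
        problems.append("Issuer differs from the Single sign-on issuer")
    audiences = [e.text.strip() for e in asr.iterfind(".//a:Audience", NS) if e.text]
    if expected["audience"] not in audiences:
        problems.append("Audience URL (Entity ID) is not in the AudienceRestriction")
    name_id = asr.find("a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is empty, so ${NameID} yields no username")
    elif name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID Format is not EmailAddress")
    sent = {a.get("Name") for a in asr.iterfind(".//a:Attribute", NS)}
    problems += [f"JIT attribute '{n}' is not sent by the IdP"
                 for n in expected["jit_attributes"] if n not in sent]
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE, EXPECTED))
```

An empty list means the response agrees with the configured values; it says nothing about whether the signature verifies against the X.509 certificate entered in Confluence.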


Last modified on Nov 22, 2022
